The storage policy drives the encryption for virtual machines. Enable the encryption in the storage policy then assign it to the virtual machine (VM) configuration files and its disks. The replication follows the encryption status. First encrypt the VMs before adding them in the replication.
- You can replicate a vApp containing both encrypted and non-encrypted VMs.
- You can create a replication for an encrypted VM with enabled virtual Trusted Platform Module (vTPM), and with full, partial, or no encryption of the attached storage disks.
- You can also create a replication for a non-encrypted VM and encypt the VM as a part of the replication process.
Prerequisites
- Prerequisites for the versions in the source and in the destination sites:
-
- For Cloud Director sites, use vCenter Server 7.0 U2 and later, and VMware Cloud Director 10.2 and later.
- For vSphere DR and migration, use vCenter Server 7.0 U2 and later, and VMware Cloud Director Availability 4.5 and later in both the source and the destination site.
-
Note: With vCenter Server 7.0 U2 and later, you can use an external KMS or vSphere ® Native Key Provider™. Verify that the backing vCenter Server instances in the destination have a KMS with the same name and with access to the same key used to encrypt the source VM. VMware Cloud Director Availability then ensures the necessarily encryption keys are pushed to the hosts responsible for the replications.
The prerequisite for the same encryption keys comes from the underlying replication technology and applies for all supported topologies, both Cloud Director sites and for vSphere DR and migration.
- Prerequisites for the ESXi hosts in both the source and in the destination sites:
-
Install the HBR agent VIB in all the
ESXi hosts. To download the HBR agent VIB file directly from the appliance:
- Depending on the appliance type and deployment, from the following URL on the appliance download the:
- https://vCenter_Replication_Management_Appliance_Address:8043/hbr-agent.vib file.
- https://Replicator_Appliance_Address/hbr-agent.vib file.
- Alternatively, from the appliance filesystem, download the /opt/vmware/hbr/vib/vmware-hbr-agent-build_number.i386.vib file.
For more information about VIBs and how to install them, see VIBs, Image Profiles, and Software Depots in the VMware ESXi Upgrade Guide.
- Depending on the appliance type and deployment, from the following URL on the appliance download the:
- Prerequisites for the vCenter Server instances in both the source and in the destination sites:
-
- Configure a key provider in vSphere. For more information, see Virtual Machine Encryption in the vSphere Security Guide:
- For vSphere 7.0 U2 and later, configure a VMware vSphereNative Key Provider which does not require an external key server. For more information, see Configuring and Managing vSphere Native Key Provider in the vSphere Security Guide.
- Alternatively, for vSphere 7.x, configure an external key server, previously known as Key Management Server cluster and ensure that the cluster names match. For information about configuring a standard key provider, see Set up the Key Management Server Cluster in the vSphere Security Guide.
- Use the same key provider for both the source and the destination vCenter Server instances. For more information, see vSphere Native Key Provider Overview in the vSphere Security Guide.
To ensure that both sites use the same vSphere key provider, for example, backup the key provider from site A then restore it and set it as default in site B.
- In vSphere, the encrypted VMs require an encryption storage policy. For more information, see Create an Encryption Storage Policy and Create an Encrypted Virtual Machine or Encrypt an Existing Virtual Machine or Virtual Disk in the vSphere Security Guide.
- Configure a key provider in vSphere. For more information, see Virtual Machine Encryption in the vSphere Security Guide:
- Prerequisites for cloud sites backed by VMware Cloud Director:
-
- Verify that the same key provider is used in both the source and the destination vCenter Server instances. For more information, see vSphere Native Key Provider Overview or Set up the Key Management Server Cluster in the vSphere Security Guide.
- Verify that the Organization Administrator role has the vApp: View VM and VM's Disks Encryption Status right. For more information, see Rights in Predefined Global Tenant Roles in the VMware Cloud Director Tenant Portal Guide.
- Add the encryption-enabled storage policy to a provider VDC. For more information, see Add a VM Storage Policy to a Provider Virtual Data Center in the VMware Cloud Director Service Provider Admin Portal Guide.
- Add the encryption-enabled storage policy to an organization VDC. For more information, see Add a VM Storage Policy to an Organization Virtual Data Center in the VMware Cloud Director Service Provider Admin Portal Guide.
- Create an encrypted VM by applying the encryption-enabled storage policy. Replications for encrypted VMs can only include virtual machines with an encryption-enabled storage policy.
- Verify that your session is extended to the site in which the vApps or virtual machines you are about to replicate reside. For more information, see Authenticating to paired remote Cloud Director sites.
Procedure
Results
The new replication that contains only encrypted virtual machines uses encryption for the replication data communication.